#!/usr/bin/env python3 """ Generate a PCF font that exercises the bitmap scaler path (ZDI-CAN-30558). The original bug: BitmapScaleBitmaps uses an 'unsigned int' (32-bit) bytestoalloc accumulator. With many glyphs scaled to a large size, the sum wraps around, causing an undersized calloc followed by heap overflow. This test font has 64 small glyphs (1x2 pixels). When loaded at a large pixel size via the scaler, each glyph expands significantly. With the fix (size_t + overflow check), the library either: - Succeeds with a properly-sized allocation (64-bit) - Rejects the font cleanly (overflow check on 32-bit) Usage: python3 gen_evil_pcf_bitmapscale.py Creates /evil-scale.pcf and /fonts.dir The font is stored at pixel=1; opening at pixel=1000 triggers scaling. """ import struct import sys import os PCF_DEFAULT_FORMAT = 0x00000000 PCF_PROPERTIES = 1 PCF_ACCELERATORS = 2 PCF_METRICS = 4 PCF_BITMAPS = 8 PCF_BDF_ENCODINGS = 32 def u32(x): return struct.pack(" 1 else "." os.makedirs(output_dir, exist_ok=True) pcf_name = "evil-scale.pcf" # Stored at pixel=1; test opens at different pixel to trigger scaler xlfd = "-evil-scale-medium-r-normal--1-10-75-75-c-10-iso10646-1" with open(os.path.join(output_dir, pcf_name), "wb") as f: f.write(out) with open(os.path.join(output_dir, "fonts.dir"), "w") as f: f.write("1\n") f.write(f"{pcf_name} {xlfd}\n") # fonts.scale declares the font as scalable (pixel, point, avgwidth = 0) # so the scaler path is used when a different size is requested. scalable_xlfd = "-evil-scale-medium-r-normal--0-0-75-75-c-0-iso10646-1" with open(os.path.join(output_dir, "fonts.scale"), "w") as f: f.write("1\n") f.write(f"{pcf_name} {scalable_xlfd}\n")